Abstract

The security of the Internet can be improved using reconfigurable hardware. A platform has been implemented that actively scans and filters Internet traffic at multi-Gigabit/second rates using reconfigurable hardware. Modular components implemented in FPGA logic process packet headers and scan for signatures of malicious software (malware) carried in packet payloads. Additional FPGA circuits track the state of Transmission Control Protocol (TCP) flows. Regular expression and fixed-string scanning circuits are implemented in parallel hardware. Dynamic reconfiguration enables remote modules to be reconfigured to scan for new signatures. Network-wide protection is achieved by the deployment of multiple systems throughout the Internet.

Introduction 

Computer viruses and Internet worms cause billions of dollars in lost productivity. Well-known Internet worms like Nimda, Code Red and Slammer contain strings of malicious code that can be detected as they flow through the network. By processing the content of Internet traffic in real time, a computer virus or Internet worm can be detected and prevented from propagating. Our system scans the full payload of packets to route, block, and account for the content in the flow. One challenge in implementing the system was that the location of a signature in the packet payload is not deterministic: it can appear at any byte offset within the traffic flow. Another challenge was that signatures can span multiple packets and be interleaved among multiple traffic flows. This paper describes how these challenges were met.

Related  Work 

A common requirement for network intrusion detection and prevention systems is to search for predefined signatures in the packet payload. Since conventional software-based algorithms for deep packet inspection have not kept pace with high-speed networks, hardware-based solutions are desirable. Hence, important building blocks of these systems include fast signature matching and protocol processing circuits. Most systems in this class share a requirement for string matching. For example, a media file can be characterized by the presence of a string of bytes (for the rest of the paper, a string is synonymous with a signature), and its transmission across a link can be monitored by looking for the presence of this string on the link.

Key  Contribution 

Our key contribution is to envision, design and develop a cohesive malware protection system that includes an FPGA-based network platform, Internet protocol processing circuits, content matching modules, and automated design tools to enable the implementation and timely updating of network security applications in reconfigurable hardware. The system allows for the immediate blocking of known viruses and may be rapidly reprogrammed to recognize and block new threats. These upgrades are system-driven and do not depend on actions by end users to keep the protection up to date.
The system's foundation is the Field-programmable Port Extender (FPX), which is implemented with two FPGAs, five banks of memory and two high-speed (OC-48 rate) network interfaces. The network interfaces connect to one of several types of Gigabit-speed line cards, including several types of Gigabit Ethernet and ATM interfaces. On the FPX, one FPGA is used to route individual traffic flows through the device, while the other is dynamically reconfigured over the network to perform customized packet processing functions. Using the latest FPGA technology, the system could scale to process 10 Gigabit/second OC-192 flows.

A TCP/IP wrapper, implemented in FPGA logic, reconstructs the flow of transmitted data by tracking the sequence numbers of consecutive packets to provide a byte-ordered data stream to the content scanning engines. This means that even if a malware signature has been fragmented across multiple packets, it will still be detected and blocked. In order to maintain the state of multiple traffic flows, the system architecture stores the state of each TCP/IP flow in memory. Given that each flow occupies 64 bytes of memory, one 512 Mbyte SDRAM module (about half of the memory on the FPX) can track 8 million simultaneous traffic flows.
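The behaviour described above, as an added example in software rather than the paper's FPGA wrapper: segments of one flow are keyed by address/port tuple, held until they are contiguous, and handed to the scanner as one ordered byte stream, so a signature cut in half by a packet boundary is still found, and found once. The flow key layout, the SYN handling, the least-recently-used eviction when the flow table is full, and the sample segments are assumptions made for this demo, not details taken from the FPX design.

```python
"""Per-flow TCP stream reassembly in front of a signature scanner.

Added example; it is not code from the paper or from the FPX project. It models
what the text says the TCP/IP wrapper does: order segments by sequence number and
hand the scanner one byte stream per flow, so a signature split across packets is
still found exactly once. Flow keys, the SYN handling, the eviction policy and the
sample segments are assumptions made for this demo.
"""
from collections import OrderedDict

MAX_FLOWS = 4   # demo budget; the text quotes 8 million flows per 512 MB SDRAM


class FlowState:
    __slots__ = ("next_seq", "pending", "tail")

    def __init__(self, next_seq):
        self.next_seq = next_seq   # next in-order stream byte we expect
        self.pending = {}          # seq -> payload held until it becomes contiguous
        self.tail = b""            # last (max_sig_len - 1) bytes already scanned


class Reassembler:
    def __init__(self, signatures, max_flows=MAX_FLOWS):
        self.signatures = [bytes(s) for s in signatures]
        self.overlap = max(len(s) for s in self.signatures) - 1
        self.max_flows = max_flows
        self.flows = OrderedDict()   # use order doubles as LRU order for eviction
        self.matches = []            # (flow_key, signature, stream offset of first byte)

    def feed(self, src, dst, sport, dport, seq, payload, syn=False):
        key = (src, sport, dst, dport)
        st = self.flows.get(key)
        if st is None:
            if len(self.flows) >= self.max_flows:
                self.flows.popitem(last=False)   # evict least recently used flow
            # A SYN consumes one sequence number, so data starts at seq + 1.
            # Without a SYN we pick the flow up mid-stream at the first seq seen.
            st = self.flows[key] = FlowState(seq + 1 if syn else seq)
        else:
            self.flows.move_to_end(key)
        if syn or not payload:
            return
        if seq < st.next_seq:                    # retransmitted or overlapping bytes
            skip = st.next_seq - seq
            if skip >= len(payload):
                return                           # nothing new in this segment
            payload, seq = payload[skip:], st.next_seq
        st.pending[seq] = payload
        while st.next_seq in st.pending:         # drain everything now contiguous
            data = st.pending.pop(st.next_seq)
            self._scan(key, st, data)
            st.next_seq += len(data)

    def _scan(self, key, st, data):
        # Prepend the already-scanned tail so a signature that straddles the
        # segment boundary is visible, but report only matches that end inside
        # the new data so nothing is reported twice.
        window = st.tail + data
        base = st.next_seq - len(st.tail)        # stream offset of window[0]
        for sig in self.signatures:
            pos = window.find(sig)
            while pos != -1:
                if pos + len(sig) > len(st.tail):
                    self.matches.append((key, sig, base + pos))
                pos = window.find(sig, pos + 1)
        st.tail = window[-self.overlap:] if self.overlap else b""


def demo():
    """Constructed flow: the signature is cut in two and the halves arrive reversed."""
    sig = b"WORM-SIGNATURE"                               # constructed signature
    r = Reassembler([sig])
    first = b"GET /index.html HTTP/1.0\r\nX: WORM-SIG"    # ends mid-signature
    second = b"NATURE here\r\n"
    client = ("10.0.0.7", "192.0.2.10", 40001, 80)        # constructed addresses
    r.feed(*client, seq=999, payload=b"", syn=True)
    r.feed(*client, seq=1000 + len(first), payload=second)   # arrives first
    r.feed(*client, seq=1000, payload=first)                 # fills the gap
    r.feed(*client, seq=1000, payload=first)                 # retransmission: ignored
    return r
```

Running demo() yields one match at stream offset 1029 (byte 29 of the first segment) even though the second segment arrived first. The caveat for a hardware port of this idea is the pending buffer: a fixed 64-byte flow record cannot hold out-of-order payload, so a real design has to decide whether to drop, hold, or force retransmission of gapped segments, and how to resolve overlapping retransmissions whose bytes differ, since inconsistent overlap handling between the scanner and the end host is a classic evasion technique against network IDS.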

Two methods are used to search for signatures: finite automata scan for regular expressions and a Bloom filter scans for fixed strings. The number of regular expressions that can be searched grows with the amount of FPGA logic on the device, while the number of fixed strings that can be searched grows with the size of on-chip RAM. A Bloom filter allows a scanning engine to identify up to 1,700 fixed-length strings. Both types of engine can scan traffic at 600 Mbps. By implementing four engines that run in parallel, the FPX can process data at a rate of 2.4 Gigabits per second using a single Xilinx Virtex 2000E FPGA.
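The fixed-string side of the scanner, as an added example that is not the paper's circuit: every fixed-length window of the stream is hashed k times into a small bit array (the software stand-in for the BlockRAM the text refers to), and a window whose k bits are all set is a possible signature. The example also carries the check a deployment needs around a Bloom filter: a hit is only a candidate, so it is confirmed against the exact string set before anything would be blocked. The hash construction, array size and sample traffic are assumptions made here, not details of the FPX engine.

```python
"""Bloom-filter scan for fixed-length strings, with exact verification of hits.

Added example, not the paper's circuit. The bit array stands in for on-chip
RAM; the exact set is the verification table consulted only when the filter
reports a candidate. Hash construction, sizes and traffic are assumptions.
"""
import hashlib


class BloomScanner:
    def __init__(self, signatures, m_bits=4096, k=4):
        lengths = {len(s) for s in signatures}
        if len(lengths) != 1:
            raise ValueError("one Bloom filter covers one signature length")
        self.length = lengths.pop()
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)   # stands in for the BlockRAM bit vector
        self.exact = set(signatures)         # verification table, used only on hits
        for s in signatures:
            for h in self._hashes(s):
                self.bits[h >> 3] |= 1 << (h & 7)

    def _hashes(self, window):
        # k bit positions from one digest via double hashing (assumed here; the
        # hardware uses its own hash functions). Forcing h2 odd keeps the probes spread.
        d = hashlib.blake2b(window, digest_size=16).digest()
        h1 = int.from_bytes(d[:8], "little")
        h2 = int.from_bytes(d[8:], "little") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def maybe(self, window):
        """True if the window may be a signature; False is definitive (no false negatives)."""
        return all(self.bits[h >> 3] & (1 << (h & 7)) for h in self._hashes(window))

    def scan(self, data):
        """Return (confirmed matches as (offset, string), number of Bloom candidates)."""
        confirmed, candidates = [], 0
        for i in range(len(data) - self.length + 1):   # hardware checks offsets in parallel
            w = data[i:i + self.length]
            if self.maybe(w):
                candidates += 1
                if w in self.exact:                     # drop false positives here
                    confirmed.append((i, w))
        return confirmed, candidates

    def load_factor(self):
        """Fraction of bits set; the false-positive rate per window is roughly this**k."""
        return sum(bin(b).count("1") for b in self.bits) / self.m


def demo():
    sigs = [b"EVILWORM", b"BADBYTES", b"NIMDAXXX"]               # constructed 8-byte signatures
    data = b"GET /a HTTP/1.0\r\nxxEVILWORM tail BADBYTES\r\n"   # constructed traffic
    return BloomScanner(sigs).scan(data)
```

The difference between candidates and confirmed matches is the false-positive count for that traffic; it rises with load_factor(), which is why the number of strings one filter can hold is bounded by on-chip RAM as the text says. A filter also covers exactly one string length, so a signature set with several lengths needs one filter per length running side by side.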

An automated design flow builds packet scanning circuits in hardware. Custom circuits are built by an automated program that reads a list of signatures from a database table, optimizes each finite automaton, integrates Internet protocol processing hardware, compiles the circuit into gates, places and routes the circuit into an FPGA, and then reconfigures remote devices over the network.
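The front of that flow, as an added example that is not the paper's generator and emits no VHDL: signature rows (a constructed list standing in for the database table) are compiled into one deterministic automaton in which every state has a transition on every input byte, which is the form a hardware FSM needs because each arriving byte must cause exactly one state change. Multiple fixed strings are handled as one alternation; the general regular-expression case the paper supports is not shown. The row format, the sample signatures and the scan input are assumptions.

```python
"""Compile a signature table into one full-transition DFA and scan with it.

Added example; not the paper's design tool. It builds an Aho-Corasick automaton
from fixed strings and folds the failure links into a complete transition table
(256 entries per state), so the scan loop is one table lookup per byte. The row
format mimics a database table and is an assumption.
"""
from collections import deque

ALPHABET = 256

SIGNATURE_TABLE = [   # constructed stand-in for the paper's database rows
    {"id": 1, "search_string": b"EVILWORM", "description": "demo worm A"},
    {"id": 2, "search_string": b"WORMY",    "description": "demo worm B"},
    {"id": 3, "search_string": b"ORM",      "description": "demo fragment"},
]


def build_dfa(rows):
    """Return (goto, out): goto[state][byte] -> state, out[state] -> signature ids."""
    goto = [[-1] * ALPHABET]          # state 0 is the root
    out = [[]]
    for row in rows:                  # 1. trie of all signatures
        s = 0
        for b in row["search_string"]:
            if goto[s][b] == -1:
                goto.append([-1] * ALPHABET)
                out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append(row["id"])
    fail = [0] * len(goto)
    q = deque()
    for b in range(ALPHABET):         # 2. root: missing transitions loop to root
        t = goto[0][b]
        if t == -1:
            goto[0][b] = 0
        else:
            q.append(t)
    while q:                          # 3. BFS: failure links, then fill every hole
        s = q.popleft()
        for b in range(ALPHABET):
            t = goto[s][b]
            if t == -1:
                goto[s][b] = goto[fail[s]][b]           # no edge: borrow from fail state
            else:
                fail[t] = goto[fail[s]][b]
                out[t] = out[t] + out[fail[t]]          # inherit suffix matches
                q.append(t)
    return goto, out


def scan(dfa, data):
    """One transition per byte; yields (offset of last byte, signature id) for each hit."""
    goto, out = dfa
    s, hits = 0, []
    for i, b in enumerate(data):
        s = goto[s][b]
        for sig_id in out[s]:
            hits.append((i, sig_id))
    return hits


def demo():
    dfa = build_dfa(SIGNATURE_TABLE)
    return len(dfa[0]), scan(dfa, b"xxEVILWORMYzz")   # constructed input
```

The state count returned by demo() (17 for the three constructed strings) is the quantity that translates into FPGA logic: a generator like the paper's would render each state as a register value and each row of goto as the next-state logic, which is why the number of regular expressions a device can hold grows with its logic capacity rather than with RAM. Note that the input "xxEVILWORMYzz" produces three hits, two of them ending on the same byte, because the shorter signature is a suffix of the longer one; a hardware FSM must be able to assert several outputs in one cycle for the same reason.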

Conclusions 

We have designed and developed a system that blocks the spread of Internet worms and computer viruses. Our system uses reconfigurable hardware to scan Internet traffic for malware. Malware is identified by signatures that may consist of either fixed strings or regular expressions. TCP/IP flows are tracked so that signatures spanning multiple packets can be detected. An automated design flow allows new circuits to be rapidly deployed to protect the network against new attacks.
Internet Worms and Viruses

• The problem with worm and virus attacks
  - Annoyance to users
  - Costly to businesses (lost productivity)
  - Security threat to government (compromised data)
• Recent attacks
  - Nimda, Code Red, Slammer
  - MSBlast
    • Infected over 350,000 hosts on Aug. 16, 2003
  - SoBigF
    • Infected 1 million users in first 24 hours
    • Infected > 200 million in the first week
    • Caused an estimated $1 billion in damages to repair
• Detectable by a signature in content
  - Pattern of bytes
  - Regular expression
  - Morphable pattern


Challenges to Stopping Worm and Virus Attacks

• End-systems are difficult to maintain
  - Operating systems become outdated
  - Users introduce new machines on the network
• The Internet carries several types of traffic
  - Web, file transfers, telnet
  - Data may appear anywhere in the packet
• Networks process high-speed data
  - Multi-Gigabit/second data transmission rates are now commonplace in campus, corporate, and backbone networks
  - Peer-to-peer protocols dominate current and future traffic
  - Need real-time gathering
    • No latency can be tolerated
Virus/Worm/Data Spread in Unprotected Networks

Virus/Worm/Data Containment in Protected Networks
Content Scanning Technology


• Fiber optic line cards
  - Gigabit Ethernet
  - ATM OC-3 to OC-48
• Reconfigurable hardware
  - Uses the Field Programmable Port Extender (FPX) platform
  - Protocol processing and content scanning performed in hardware
  - Reconfigurable over the network
• Chassis / motherboard
  - Allows modules to stack
Field-programmable Port Extender (FPX)

[Figure: FPX block diagram showing the FPGAs with their off-chip memories, the network device, and 2.4 Gigabit/sec network links to a subnet]
Remotely reprogramming hardware over the network

• New module developed
• Content Matching Server generates the new module in programmable logic
• Module bitfile transmitted over the network
• New module deployed into FPX hardware
Data Scanning Technologies

• Protocol processing
  - Layered protocol wrappers
  - Process cells/frames/packets/flows in hardware
• Regular expression matching
  - Deterministic Finite Automata (DFA)
  - Dynamically programmed into FPGA logic
• Fixed string matching
  - Bloom filters
  - Dynamically programmed into BlockRAMs
Regular Expression Matching with Finite Automata

[Figure: Moscola et al.]
Complete Protection System

[Figure: Network Aggregation Point with router/switch and attached end hosts]


System Components

• Hardware-based data processing
  - FPGA bitfile transferred over the network to reconfigurable hardware
  - Content scanned in hardware with parallel Finite State Machines (FSMs)
  - Control messages sent over the network allow blocking/unblocking of data
• Software-based system generation
  - Web-based control and configuration
  - SQL database stores signature patterns
  - Finite State Machines created with JLex
  - VHDL-specified circuits generated, instantiated, and integrated with Internet protocol processing wrappers
Edit Search Strings

[Screenshot: web interface, "Manage DED Library", for adding a search string entry. Example entry shown: search_string !HEX(683063423739), description "SoBigF Internet Worm (MIME64)", with Author and Value fields.]
Program the Hardware

[Screenshot: form that defines which device will be modified, with Server Address, DED IP Address, Port and Stack fields. "Click 'Program DED Now' below to modify the predefined hardware devices. This process can take about 10 minutes."]
Modular Design Flow (our contribution)

• Back end: generate Finite State Machines in VHDL
• Synthesize logic to gates & flops (Synplicity Pro)
• Set boundary I/O & routing
• Generate bitfile (Xilinx)
• Install and deploy modules over the Internet to remote scanners
• In-system data scanning on the FPX platform
Network Configuration with Gigabit Ethernet

[Figure: Data Enabling Device (DED) with FPX processing modules on Gigabit Ethernet]
Passive Virus Protection

• Content returns from the Internet through the FPX
• Content is processed in the FPX
• Content containing a virus is forwarded from the FPX
• An alert packet is sent to the user to let them know of the virus

Virus Agent alert shown to the Internet user: "The message you are downloading may contain a virus. To ensure the protection of your system, you should use caution when viewing the message."

Passive Virus Example

Active Virus Protection

Active Virus Example

Other Applications

• Prevent unauthorized release of data
  - Secure classified documents
  - Lock medical documents for the Health Insurance Portability and Accountability Act (HIPAA)
• Avoid liability for misuse of the network
  - Copyright infringement
  - Pornography in the workplace
Content Scanning Technologies

• General purpose microprocessors
  + Fully reprogrammable
  - Sequential processing
• Custom packet processing hardware
  + Highly concurrent processing
  - Static functionality
• Network processors
  + Mostly reprogrammable
  + Some concurrent processing (8-32 cores)
• Reconfigurable hardware
  + Fully programmable
  + Highly concurrent processing
FPGA-based Regular Expression Matching with Parallel Engines vs. Software-based Regular Expression Matching Systems (Snort, etc.)

[Figure: throughput vs. probability of detection]

Actual Software Performance

[Figure: Top Layer Networks / Internet Security Systems, probability of detection vs. percent utilization]
Throughput Comparison

• Sed was run on different Linux PCs
  - Dual Intel Pentium III @ 1 GHz
    • 13.7 Mbps when data is read from disk
    • 32.72 Mbps when data is read from memory
  - Alpha 21364 @ 667 MHz
    • 36 Mbps when data is read from disk
    • 50.4 Mbps when data is read from memory
• Software results are 40x slower than FPsed
String Processing Benchmarks

Results

• Content Scanning Platform implemented
  - Scans Internet packets for virus or Internet worm signatures using reconfigurable hardware
  - Generates prompts when matching content is found
• Content Matching Server implemented
  - Automatically generates FPGA circuits from regular expressions selected from the database
• Regional Transaction Processor implemented
  - Tracks propagation of Internet worms and viruses

Reduces the spread of malware from months to minutes